EU DORA · Testing
Digital operational resilience testing, demystified
The EU Digital Operational Resilience Act makes testing a legal duty for financial entities. Understand what you must test, how often, and where advanced threat-led testing kicks in.
- Based on Regulation (EU) 2022/2554
- In force since Jan 2025
- Vendor-neutral
What is DORA
Testing your resilience is no longer optional
DORA is an EU regulation that makes digital operational resilience — including regular testing — a binding requirement for the financial sector.
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has applied across the EU since 17 January 2025. It sets uniform requirements for how financial entities manage and prove their resilience to ICT disruptions.
One of its five pillars is digital operational resilience testing. Entities must run a documented, risk-based testing programme and test the ICT systems supporting critical or important functions at least once a year, using independent, qualified testers.
The most significant entities go further: they must undergo advanced threat-led penetration testing (TLPT) every three years, modelled on real-world attacks. This guide focuses on the testing pillar — who must do what, and how often.
The testing regime
What DORA actually requires you to test
Four essentials that define the resilience-testing pillar.
- PROGRAMME
A testing programme
Not ad-hoc checks — DORA requires a documented, risk-based testing programme covering the ICT systems that support your important and critical functions.
- BASELINE
Baseline tests, yearly
At least annually, entities run tests such as vulnerability assessments and scans, network security assessments, source-code reviews and scenario-based testing on critical systems.
- TLPT
Threat-led pen testing
Significant entities must perform advanced threat-led penetration testing (TLPT) at least every three years, modelled on the TIBER-EU framework and real threat intelligence.
- INDEPENDENT
Independent testers
Testing must be carried out by qualified, independent parties. For TLPT, testers must meet strict competence and independence criteria set out in the regulation.
What to test
The testing types, and how often
DORA expects a layered programme. These are the main test types and their cadence.
- Baseline · yearly
Vulnerability assessments & scans
Regular automated and manual assessment of weaknesses across ICT assets supporting important functions.
Under DORA: Part of the required baseline testing programme.
- Baseline · yearly
Penetration testing
Hands-on testing of critical systems to find exploitable weaknesses before an attacker does.
Under DORA: Expected within the annual programme for critical systems.
- Programme
Scenario-based & resilience tests
Exercises that test detection, response, business continuity and recovery — not just prevention.
Under DORA: Evidence that ICT can withstand and recover from disruption.
- Advanced · 3 years
Threat-led penetration testing (TLPT)
Intelligence-led, red-team-style testing against live systems, mandatory for significant entities.
Under DORA: Required at least every three years for in-scope entities.
Applicability check
Does DORA testing apply to you — and what’s required?
Answer a couple of questions for a plain-English indication of your testing obligations. This is guidance, not legal advice.
Is your organisation an EU financial entity — or a critical ICT provider to one?
How would a supervisor most likely classify you?
DORA applies proportionately to your size, risk profile and complexity.
DORA may not bind you directly
DORA applies to EU financial entities and their critical ICT providers. If you are neither, its testing rules likely don’t bind you directly — but you may still be asked to support a client’s resilience testing. If you’re unsure of your status, it’s worth confirming.
Check your scopeA proportionate testing programme
You must run a risk-based testing programme with baseline tests — such as vulnerability assessments and scans — at least yearly on the ICT supporting your important functions. Simplifications may apply to smaller entities, but testing by independent, qualified parties is still expected.
Plan your DORA testingA full annual testing programme
You must maintain a documented testing programme and test ICT systems supporting critical or important functions at least once a year — including vulnerability assessments, network security assessments, penetration testing and scenario-based tests — carried out by independent testers.
Plan your DORA testingFull programme + TLPT every 3 years
On top of the annual programme, significant entities must undergo advanced threat-led penetration testing (TLPT) at least every three years — modelled on the TIBER-EU framework, using real threat intelligence against live production systems. Testers must meet strict independence and competence criteria.
Talk to OffSeq about TLPTYou’ll be drawn into your clients’ testing
ICT third-party providers to financial entities face contractual resilience obligations and are expected to support clients’ testing. Providers designated as critical fall under direct EU oversight. Being demonstrably test-ready is increasingly a commercial necessity.
Get test-readyIndicative only — classification and exact obligations depend on your supervisor’s assessment and the applicable regulatory technical standards. Confirm your status with a qualified adviser.
The facts
DORA at a glance
A regulation in force now, with real scope and real testing duties.
Each figure links to its primary source. Scope estimates are approximate; confirm your own status with a qualified adviser.
For security & compliance teams
Turn the testing pillar into a working programme
DORA doesn’t just ask whether you test — it asks whether you can evidence a documented, independent, risk-based programme.
DORA requires financial entities to establish, maintain and review a sound and comprehensive digital operational resilience testing programme, and to test ICT systems supporting critical or important functions at least yearly using independent parties.
-
Map critical functions first
Scope the ICT systems that support your important and critical functions — that’s what the testing programme must cover.
-
Layer the test types
Combine vulnerability assessments, penetration testing and scenario-based tests into a coherent annual programme, not one-off checks.
-
Use independent testers
DORA expects testing by qualified, independent parties — and TLPT has strict criteria for who may test.
-
Evidence everything
Document findings, remediation and retesting. Supervisors want proof the programme works, not just that a test happened.
Guides
Go deeper
Plain-English guides to DORA’s testing requirements and how to meet them.
-
DORA testing requirements: what financial entities must test
DORA makes resilience testing a legal duty. Here’s the programme it requires, the test types, the cadence, and who must do the testing.
Read guide -
DORA TLPT explained: threat-led penetration testing
For significant entities, DORA mandates advanced threat-led penetration testing. Here’s what TLPT is, who must do it, and how it works.
Read guide -
DORA testing checklist: how to prepare and stay compliant
A practical checklist to build and evidence a DORA-compliant resilience-testing programme — from scoping critical functions to remediation.
Read guide
Frequently asked questions
Short, clear answers
What is DORA?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is an EU regulation, in force since 17 January 2025, that sets uniform ICT risk-management, incident-reporting, resilience-testing and third-party-risk requirements for the financial sector.
What testing does DORA require?
A documented, risk-based testing programme, with the ICT systems supporting critical or important functions tested at least yearly — using tests such as vulnerability assessments, penetration testing and scenario-based exercises, performed by independent parties. See the requirements →
Who is in scope of DORA?
A broad range of EU financial entities — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers and more — plus their critical ICT third-party providers.
What is TLPT under DORA?
Threat-led penetration testing: advanced, intelligence-led red-team testing of live systems, required of significant entities at least every three years and modelled on the TIBER-EU framework. More on TLPT →
How often must we test under DORA?
The baseline programme requires testing of critical and important ICT systems at least once a year. Significant entities must additionally undergo TLPT at least every three years.
Can we use our own staff to test?
DORA requires testing by independent, qualified parties, and allows internal testers only under conditions (with safeguards for independence). TLPT in particular has strict criteria on tester competence and independence. See how to prepare →
What happens if we don’t comply?
DORA is directly applicable and enforced by national competent authorities, which can require remediation and impose penalties. Beyond fines, an untested resilience posture is a real operational and reputational risk.